Closed ReySka91 closed 5 months ago
@jaredfholgate can you take a look?
Hi @ReySka91. That is an old version of the code that does not support WIF. Make sure you are targeting v4 of the task.
Of course I checked everything else except the version. The init task works now after updating. Thanks!
Hello,
We have started converting our old Azure DevOps service connections from using client secrets to using workload identity federation. We do this by deleting the client secrets and adding a federated credential to the Azure AD app registration that is linked to the service connection.
According to your code, when the client secret is not used, your Terraform pipeline task adds the backend configuration 'use_msi = true' to the initialization command:
According to Terraform's documentation, 'use_msi = true' works only with Azure managed identities i.e. system-assigned and user-assigned identities: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/managed_service_identity#configuring-with-environment-variables
Now that we are using workload identity federation with app registrations (which are not managed identities) our pipelines fail on the initialization task with this error:

```
/opt/hostedtoolcache/terraform/1.5.3/x64/terraform init -backend-config=use_azuread_auth=true -backend-config=storage_account_name=xxx -backend-config=container_name=tfstate -backend-config=key=infrastructure.application.tfstate:applicationprod -backend-config=resource_group_name=cloud-shell-storage-westeurope -backend-config=subscription_id=xxx -backend-config=tenant_id=xxx -backend-config=use_msi=true

Initializing the backend...
╷
│ Error: Failed to get existing workspaces: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://xxx.blob.core.windows.net/tfstate?comp=list&prefix=infrastructure.application.tfstate%3Aapplicationprodenv%3A&restype=container: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F
│
╵
##[error]Error: The process '/opt/hostedtoolcache/terraform/1.5.3/x64/terraform' failed with exit code 1
```
Is this a bug that we can't use workload identity federation with service connections that link with Azure AD app registrations? Can the code be fixed to take this into consideration?
Thanks!
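The failure above comes from a wrapper that treats "no client secret" as "must be a managed identity" and emits `use_msi=true`, which sends the Azure backend to the instance metadata endpoint that does not exist for a federated app registration. The shell script below is an added example (not the Terraform task's own code, nor anything from the thread) showing how a wrapper can instead pick the azurerm backend authentication mode from the credential that is actually present: a client secret, a federated OIDC token (`use_oidc=true` plus `oidc_token`), or a managed identity (`use_msi=true`). It assumes the `ARM_*` variable names the azurerm backend reads, a hypothetical `ARM_USE_MSI` flag to request managed identity explicitly, and placeholder `BACKEND_*` variables for the storage account, container, key and resource group.

```shell
#!/bin/sh
# Added example: choose the azurerm backend auth mode from the credential
# shape that is present, instead of assuming "no secret" means "managed identity".
# Assumed inputs: ARM_CLIENT_ID, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID and one of
# ARM_CLIENT_SECRET / ARM_OIDC_TOKEN / ARM_USE_MSI=true; BACKEND_* are placeholders.

# Print one -backend-config=... argument per line for the requested mode.
backend_args() {
  mode="$1"   # client_secret | msi | oidc
  printf '%s\n' \
    "-backend-config=use_azuread_auth=true" \
    "-backend-config=storage_account_name=${BACKEND_STORAGE_ACCOUNT:?}" \
    "-backend-config=container_name=${BACKEND_CONTAINER:-tfstate}" \
    "-backend-config=key=${BACKEND_KEY:?}" \
    "-backend-config=resource_group_name=${BACKEND_RESOURCE_GROUP:?}" \
    "-backend-config=subscription_id=${ARM_SUBSCRIPTION_ID:?}" \
    "-backend-config=tenant_id=${ARM_TENANT_ID:?}"
  case "$mode" in
    client_secret)
      printf '%s\n' \
        "-backend-config=client_id=${ARM_CLIENT_ID:?}" \
        "-backend-config=client_secret=${ARM_CLIENT_SECRET:?}" ;;
    msi)
      # Only valid on a host that has a system- or user-assigned managed identity.
      printf '%s\n' "-backend-config=use_msi=true" ;;
    oidc)
      # Workload identity federation: the app registration exchanges the
      # pipeline's federated token, so no secret and no metadata endpoint.
      printf '%s\n' \
        "-backend-config=use_oidc=true" \
        "-backend-config=client_id=${ARM_CLIENT_ID:?}" \
        "-backend-config=oidc_token=${ARM_OIDC_TOKEN:?}" ;;
    *)
      echo "unknown auth mode: $mode" >&2
      return 2 ;;
  esac
}

# Detect the mode from the environment; fail loudly rather than guessing.
detect_mode() {
  if [ -n "${ARM_CLIENT_SECRET:-}" ]; then
    echo client_secret
  elif [ -n "${ARM_OIDC_TOKEN:-}" ]; then
    echo oidc
  elif [ "${ARM_USE_MSI:-false}" = "true" ]; then
    echo msi
  else
    echo "no usable credential found (set ARM_CLIENT_SECRET, ARM_OIDC_TOKEN or ARM_USE_MSI=true)" >&2
    return 1
  fi
}

# Run terraform init with the detected arguments (not executed in the test).
run_init() {
  mode="$(detect_mode)" || return 1
  # shellcheck disable=SC2046
  terraform init $(backend_args "$mode")
}
```

`run_init` is the only part that touches Terraform; `detect_mode` and `backend_args` can be exercised offline, which is how a pipeline author can check that deleting the client secret flips the mode to `oidc` rather than to `msi`.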